
How to build secure non-Wicket-component based pages?

When using the IFrame Perspective Plugin, it is straightforward to use a Servlet, a JSP or any other Servlet-compliant technology to create the pages that are embedded inside the IFrame perspective.

However, this raises some concerns. For example:

  • How can we secure the pages inside the IFrame perspective, allowing access only to authenticated users in CMS?
  • In the page inside the IFrame perspective, how can we use the same JCR session as the current authenticated CMS user is using?
  • ...

The solution is actually quite simple. Apache Wicket provides org.apache.wicket.protocol.http.servlet.WicketSessionFilter, which makes the Wicket Session available to non-Wicket-component based Servlets, JSPs or any other Servlet-compliant application.

As a simple example, suppose you want to embed the /cms/examples/whoweare.jsp page in the IFrame perspective and you want to use the JCR session of the currently authenticated CMS user. In this case, add the following to cms/WEB-INF/web.xml.

  <!-- SNIP -->

  <!-- The WicketSessionFilter provides thread-local access to the Wicket Session for Servlets, JSPs, etc. -->
  <filter>
    <filter-name>WicketSessionFilter</filter-name>
    <filter-class>org.apache.wicket.protocol.http.servlet.WicketSessionFilter</filter-class>
    <init-param>
      <param-name>filterName</param-name>
      <!-- expose the session of the CMS app -->
      <param-value>CMS</param-value>
    </init-param>
  </filter>

  <!-- SNIP -->

  <!-- couple the session filter to any Servlet-compliant pages mapped by /examples/*. -->
  <filter-mapping>
    <filter-name>WicketSessionFilter</filter-name>
    <url-pattern>/examples/*</url-pattern>
  </filter-mapping>

  <!-- SNIP -->

Note: the WicketSessionFilter filter-mapping should be placed after any other built-in CMS Wicket filter mappings.

Any page mapped by /examples/* can then retrieve the Wicket Session and use it to secure itself, as in the following example:

    // Session.get() fails when no CMS Wicket session is bound to the current thread,
    // so treat both an exception and a null result as "not authenticated".
    org.apache.wicket.Session wicketSession = null;

    try {
        wicketSession = org.apache.wicket.Session.get();
    } catch (Exception ignore) {
        // fall through with wicketSession == null
    }

    if (wicketSession == null) {
        // wicket session is unavailable, meaning the request is not from a CMS-authenticated user!
        response.sendError(403);
        return;
    }

You can also obtain the JCR session of the authenticated CMS user, as in the following example:

    // The UserSession is the CMS-specific Wicket session; it carries the JCR session
    // that the CMS user logged in with, so repository access runs with that user's permissions.
    org.hippoecm.frontend.session.UserSession userSession = org.hippoecm.frontend.session.UserSession.get();
    javax.jcr.Session jcrSession = userSession.getJcrSession();
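Putting the three pieces together, the following servlet is an added illustration (it is not part of the plugin or of the Demo Application). It performs the same authentication check as the snippet above, then reads from the repository with the CMS user's own JCR session instead of opening a separate repository login. The class name, the package, the root-node listing and the HTML output are assumptions made for the example; the only plugin-specific calls are UserSession.get() and getJcrSession() from the text above.

```java
package com.example.cms; // hypothetical package for this added example

import java.io.IOException;
import java.io.PrintWriter;

import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.hippoecm.frontend.session.UserSession;

/**
 * Servlet mapped under /examples/* (e.g. /examples/whoweare) so that the
 * WicketSessionFilter configured in web.xml has already bound the CMS Wicket
 * session to this thread. Requests without such a session are rejected with 403.
 */
public class WhoWeAreServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // 1. Authentication check: the CMS Wicket session is only bound for requests
        //    made by a CMS-authenticated user. Both an exception and a null result
        //    are treated as "not authenticated", so the page fails closed.
        org.apache.wicket.Session wicketSession = null;
        try {
            wicketSession = org.apache.wicket.Session.get();
        } catch (Exception ignore) {
            // no Wicket application/session bound to this thread
        }
        if (wicketSession == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 2. Reuse the authenticated user's JCR session: whatever this page reads is
        //    limited by the repository permissions of the CMS user looking at it.
        javax.jcr.Session jcrSession = UserSession.get().getJcrSession();
        if (jcrSession == null || !jcrSession.isLive()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 3. Render. Repository data is HTML-escaped before it is written, because
        //    this output is displayed inside the CMS user interface.
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        try {
            out.println("<h1>Who we are</h1>");
            out.println("<p>Viewed by CMS user: " + escapeHtml(jcrSession.getUserID()) + "</p>");
            out.println("<ul>");
            // Placeholder content: the top-level nodes this user is allowed to see.
            for (NodeIterator it = jcrSession.getRootNode().getNodes(); it.hasNext();) {
                Node child = it.nextNode();
                out.println("<li>" + escapeHtml(child.getName()) + "</li>");
            }
            out.println("</ul>");
        } catch (RepositoryException e) {
            throw new ServletException("Repository access failed", e);
        }
    }

    /** Minimal HTML escaping for text written into the page. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Register the servlet in web.xml with a `<servlet-mapping>` whose `<url-pattern>` lies under /examples/ (for instance /examples/whoweare), because the WicketSessionFilter mapping above only covers that path: a servlet or JSP placed outside /examples/* never sees the Wicket Session and the check would reject every request, while a page without the check would be reachable without CMS authentication.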

See the Demo Application for a working example.